Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0271 Denial of Service in SPNEGO - MIT krb5 releases krb5-1.7 and later 25 March 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: MIT krb5 releases krb5-1.7 and later Publisher: MIT Kerberos Team Operating System: UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2010-0628 CVE-2009-0845 Reference: ESB-2009.0342 ESB-2009.0304 Original Bulletin: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2010-002.txt Comment: Please note as the vendor states: "This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol." The vulnerability is scheduled to be correcting in upcoming releases but a patch has been made available in the meantime. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2010-002 MIT krb5 Security Advisory 2010-002 Original release: 2010-03-23 Last update: 2010-03-23 Topic: denial of service in SPNEGO CVE-2010-0628 VU#839413 denial of service in SPNEGO CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.1 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= In MIT krb5 releases krb5-1.7 and later, the SPNEGO GSS-API mechanism can experience an assertion failure when receiving certain invalid messages. This can cause a GSS-API application to crash. This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol. IMPACT ====== An unauthenticated remote attacker could cause a GSS-API application, including the Kerberos administration daemon (kadmind) to crash. AFFECTED SOFTWARE ================= * kadmind in MIT releases krb5-1.7 and later * FTP daemon in MIT releases krb5-1.7 and later * Third-party software using the GSS-API library from MIT krb5 releases krb5-1.7 and later * MIT releases prior to krb5-1.7 did not contain the vulnerable code. FIXES ===== * The upcoming krb5-1.7.2 and krb5-1.8.1 releases will contain fixes for this vulnerability. * Apply the patch available at http://web.mit.edu/kerberos/advisories/2010-002-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-002-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2010-0628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0628 CERT: VU#839413 http://www.kb.cert.org/vuls/id/839413 ACKNOWLEDGMENTS =============== Thanks to Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all from Red Hat) for discovering and reporting this vulnerability. CONTACT ======= The MIT Kerberos Team security contact address is <krbcore-security@mit.edu>. When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu> DETAILS ======= A patch to fix CVE-2009-0845 interacted poorly with new functionality introduced in krb5-1.7. This allowed an error condition to occur where receiving an invalid packet could cause an assertion failure, crashing the program and causing denial of service. When the spnego_gss_accept_sec_context() function (in src/lib/gssapi/spnego/spnego_mech.c) receives an invalid packet during the beginning of a GSS-API protocol exchange, it can set some internal state that tells it to send an error token without first creating a context handle, but some subsequently executed code contains a call to assert() that requires that the context handle be non-null. REVISION HISTORY ================ 2010-03-23 original release Copyright (C) 2010 Massachusetts Institute of Technology - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAkupAZsACgkQSO8fWy4vZo4ETACgn9xRUl3CTCiRd2vF1PBOaQ8b EfUAoPz32NUU/mk+H8kej8fWQFo3iwcZ =LHMP - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLqr8p/iFOrG6YcBERAufnAJ90OebvMZFOEjEhtiCqZ+Q9yN6TEQCfZW0z Jt6MGe7Oyp02EC0kRWZoOfA= =FAP3 -----END PGP SIGNATURE-----